Thank you for using Amex Express Checkout (the “Amex Service”) with Braintree, a division of PayPal, Inc. (“Braintree”). The Braintree integration of the Amex Service allows U.S. American Express® Card Members to check out quickly at participating online merchants by using their americanexpress.com account login. With the Amex Service, Card Members simply use their existing americanexpress.com User ID and Password, and American Express auto-fills the checkout fields with their American Express Card details and relevant account information in just a few clicks. The Amex Service is not a wallet, and does not require a Card Member to create or manage a new account.
These Amex Express Checkout Merchant Terms and Conditions (as amended from time-to-time, these “T&Cs”) are made between the sole proprietor or business organization listed as the “Merchant” on the Braintree Service registration page (sometimes referred to as “you” or “Merchant”) and American Express Travel Related Services Company, Inc. (“Amex” or “we”). These T&Cs govern your use of the Amex Service. In addition, your use of the Amex Service is subject to your ongoing compliance with the Agreement for American Express® Card Acceptance between you and us, including the American Express Merchant Regulations – US, if applicable, and the American Express Data Security Operating Procedures (“DSOP”) (collectively, the “CAA”), which is incorporated herein and will apply to the parties’ activities hereunder mutatis mutandis. The Amex service is offered in conjunction with the gateway services offered by Braintree.
You understand and agree that: (1) once you have accepted these T&Cs and from time-to-time during the term of these T&Cs, Amex may conduct a review to confirm your eligibility to use the Amex Service; (2) Amex may require you to implement certain changes and/or provide us with certain information in order for you to be eligible to use the Amex Service; (3) before you implement any changes required by Amex, as contemplated by (2) above, Amex may block the AEC Button (as defined below) and otherwise disable your use of the Amex Service. Amex will make a decision regarding your eligibility to use the Amex Service in its sole and absolute discretion.
For the purposes of these T&Cs:
“AXP Data” means the information that is provided to you in connection with the Amex Service, which may include a Card Member’s tokenized account number (“DPAN”), the DPAN expiration date, the last 4 digits of a Card Member’s card number, card expiration date, and personal information about a Card Member (e.g., first and last name, address).
“Card Member” means the U.S. American Express Card Member using the Amex Service.
“Merchant Permitted Parties” means Braintree and Merchant’s employees, independent contractors, and Affiliates that Merchant requires to Process AXP Data on its behalf in accordance with the T&Cs; provided that: (i) such parties agree to be bound these T&Cs and the CAA; and (ii) Merchant will be liable for any breach of the T&Cs and the CAA by such parties.
“Process” means to obtain, have access to, organize, copy, alter, use, disclose, erase, destroy or any other form of processing.
Subject to, and conditioned upon, your continued compliance with the CAA, these T&Cs, and applicable laws, you are granted a limited, non-exclusive, revocable, non-transferable, non-sublicensable, royalty-free right and license during the term of these T&Cs to use the AXP Data solely to complete transaction Processing, which includes transaction reversals, fraud investigations, and dispute handling in connection with a transaction. AXP Data may not be used for any other purpose. You will not pull or permit to be pulled from Braintree any AXP Data that you do not require to Process a transaction.
To the extent that you, in the course of your performance under these T&Cs, obtain access to any AXP Data that meets the definition of “nonpublic personal information” (“NPI”) under the the rules and regulations promulgated under Title V of the Gramm-Leach Bliley Act of 1999, 15 U.S.C. 6801 to 6809, you will not use such NPI, or disclose such NPI, to any Merchant Permitted Party, except: (i) to the extent otherwise permitted under this Agreement, the CAA and consistent with applicable laws; and (ii) as necessary to carry out the purpose(s) for which such NPI was obtained by or provided to you, as set forth in these T&Cs and the CAA.
In addition to your obligations pursuant to the CAA, including all obligations with respect to access, storage and use of AXP Data, you will comply with the IPCR, which is attached as Schedule 1. For the avoidance of doubt, you will delete AXP Data: (i) immediately, if a Card Member fails to complete or abandons a transaction; or (ii) if a Card Member has completed a transaction, immediately after AXP Data is no longer necessary to comply with the requirements of Section 2 of these T&Cs. Immediately following the foregoing deletion, you will notify Braintree thereof through the Braintree Service and instruct Braintree to as promptly as possible delete such Card Member’s data in Braintree’s possession. In addition, you will delete and cause each of Merchant Permitted Parties to delete cookie data immediately if a Card Member fails to complete or abandons a transaction.
You will use and will cause Merchant Permitted Parties to use their data security program to maintain, monitor and enforce reasonable organizational, administrative, technical and physical safeguards to protect the security, integrity, confidentiality and availability of customer data, including to protect against: (i) any anticipated threats or hazards; and (ii) any accidental, unauthorized or unlawful Processing, loss or other compromise of customer data. You will promptly remediate, and will cause Merchant Permitted Parties to promptly remediate, any security incidents involving (i) or (ii) above.
You will not disclose to any person any nonpublic information relating to Amex or its Affiliates, employees, independent contractors or service providers that you may come in contact with in connection with these T&Cs; provided, that you may disclose such information to Merchant Permitted Parties solely in accordance with these T&Cs.
Amex retains all rights, title, and interest to the AXP Property. “AXP Property” means: (a) the Amex Service; (b) the website artwork and hyperlink for access to the Amex Service that is provided or otherwise made available for display in the purchase path on your site(s) (the “AEC Button”); (c) the AXP Data; (d) Amex’s marks and logos; (e) any Amex application programming interfaces, and their associated tools and documentation; (f) the collection of Amex systems and applications that support Amex programs and services used for the Amex Service; (g) the Amex software development kits provided to Merchant in connection with the Amex Service (the “Amex SDK”); and (h) the technical documentation provided to Merchant in connection with implementation and use of the Amex Service (“Documentation”) and all improvements, modifications, or derivative works of any and all of the foregoing and all intellectual property contained therein or feedback provided thereto.
Braintree retains all rights, title, and interest to the Braintree Property. “Braintree Property” means the Braintree Service and all improvements, modifications, or derivative works thereof and all intellectual property contained therein or feedback provided thereto.
AXP Property and Braintree Property are collectively referred to as “Licensed Material”.
Subject to, and conditioned upon, your compliance with these T&Cs, the CAA and applicable laws, Amex grants you a limited, non-exclusive, revocable, non-transferable, non-sublicensable, royalty-free, right and license during the term of these T&Cs to access and use the AEC Button, the AXP SDK and the Documentation to the extent necessary to utilize the Amex Service in conjunction with the Braintree Service, as contemplated hereunder.
You shall adhere to all restrictions and requirements set forth in the Documentation, the AXP SDK and the relevant Amex network rules. You shall also adhere to all applicable laws. Except as expressly set forth in these T&Cs, you will not: (a) copy, transfer, sublicense, sell, rent, lease or otherwise distribute Licensed Material, or permit either direct or indirect access to or use of the Licensed Material; (b) use any automated means (for example scraping or robots) other than the those provided in the Licensed Material to access, query or otherwise collect AXP Data; (c) modify, disassemble, decompile, reverse engineer, create derivative works of, or make any other attempt to: (i) discover or obtain the source code of any Licensed Material (as applicable); (ii) send through or store infringing or unlawful material in any Licensed Material; (iii) send through or store malicious code (such as viruses or trojans) in any Licensed Material; (iv) attempt to or gain unauthorized access to, or disrupt, the integrity or performance of, any Licensed Material; (v) access any Licensed Material for the purpose of building a competitive product or service; or (vi) use any Licensed Material, or permit it to be used, for purposes of product evaluation, benchmarking or other comparative analysis intended for publication; (d) remove, obscure or otherwise modify or destroy any proprietary markings of Braintree, Amex, or other parties that may appear on any components of the Licensed Material; or (e) use Licensed Material in any unlawful manner, for any unlawful purpose or in violation of these T&Cs or applicable laws.
In addition to your indemnification obligations under the CAA, you will indemnify, defend and hold harmless Braintree, Amex, and their respective affiliates, directors, officers, agents, employees, successors and permitted assigns from and against any and all associated losses arising out of or in connection with: (a) your gross negligence or willful misconduct; (b) your violation of Applicable Laws; (c) third-party claims arising out of or in connection with your use of the Licensed Material, or your products or services, or your relationship with your customers; and (d) your breach of these T&Cs.
YOU UNDERSTAND AND AGREE THAT THE LICENSED MATERIAL AND THE AMEX SERVICE ARE PROVIDED “AS IS”, “WHERE IS” AND “AS AVAILABLE” AND WITHOUT WARRANTIES, INCLUDING STANDARD DISCLAIMERS FOR WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, AND SERVICE AVAILABILITY. YOU RELEASE AMEX AND ITS AFFILIATES, AND ITS AND THEIR EMPLOYEES, INDEPENDENT CONTRACTORS AND SERVICE PROVIDERS (“AMEX PARTIES”) FROM, AND AGREE THAT THEY SHALL NOT BE LIABLE FOR, ANY AND ALL LIABILITY FOR ANY AND ALL CLAIMS, AND ANY AND ALL ASSOCIATED LOSSES, INCLUDING, WITHOUT LIMITATION, IN CONNECTION WITH THE AXP PROPERTY OR YOUR ACCESS TO OR USE THEREOF.
YOU AGREE THAT INDIRECT DAMAGES (INCLUDING CONSEQUENTIAL, INCIDENTAL, PUNITIVE, SPECIAL, EXEMPLARY OR OTHER INDIRECT DAMAGES) WILL BE EXCLUDED FROM ANY AND ALL RECOVERY UNDER CLAIMS ARISING FROM OR RELATED TO THESE T&CS. FURTHER, AMEX PARTIES’ and BRAINTREE’S RESPECTIVE LIABILITIES HEREUNDER WILL BE LIMITED TO THE LESSER OF: (A) ACTUAL DIRECT DAMAGES; OR (B) $5,000.
Except for the indemnified parties set forth in Section 7, these T&Cs do not and are not intended to confer any rights or benefits on any person that is not a party hereto and none of the provisions of these T&Cs will be enforceable by any person other than the parties hereto, their successors and permitted assigns.
The governing law and arbitration provisions of the CAA will govern any and all claims, disputes, or controversies arising out of or relating to these T&Cs.
You will adhere to the following implementation guidelines and requirements:
All allowable graphics for the AEC Button are available in the Documentation, which you must use as presented and may not resize, recolor, or modify. Where using radio button implementations, the primary implementation is to leverage the payment mark in tandem with copy “Amex Express Checkout”; the secondary implementation is to leverage the button in tandem with copy “Amex Express Checkout”; and the tertiary implementation is to leverage the copy “Amex Express Checkout” on its own. You may not alter the spelling, capitalization, or styles for “Amex Express Checkout”. For instance, and without limitation, “AMEX Express Checkout”, “American Express Checkout”, and “Amex Checkout” are all incorrect uses. You will not use any other Amex trademarks or graphics (i.e., payment acceptance mark or Amex blue box logo) instead of the approved AEC Button. Payment acceptance marks on your site(s) (as differentiated from the AEC Button) should always be the Amex blue box logo. The AEC Button must always be clickable where implemented. You may not use the AEC Button in place of a payment acceptance mark or Amex blue box logo on your payment site. Amex suggests placing the AEC Button prior to the majority of manual entry fields, to take full advantage of the autofill capability. At all times during the term of these T&Cs, you will: (a) display the AEC Button on your site(s); and (b) place the AEC Button in a manner (e.g., size) consistent with all other auto-fill, checkout or wallet buttons within the designated section of your site(s), as a method of payment on your site(s) for desktop, mobile, and tablet experiences, as applicable, in the United States.
You will not, and will not cause or permit any Merchant Permitted Party to enroll a Card Member to any Recurring Billing (as defined in the Merchant Regulations) in connection with the Amex Service without Amex’s express consent.
You will notify Amex regarding any Card Member complaints relating to the Amex Service. In addition, you will respond promptly to any reasonable follow up inquiries from Amex relating to the foregoing. Amex may make available to you customer complaints FAQs and other best practices guidance, as applicable, and require you to implement the foregoing.
If you have reason to suspect that a third party unlawfully gained access to a Card Member’s Amex Express Checkout login information or any AXP Data, you will provide immediate notice to and reasonably cooperate with Amex to protect the affected Card Member and resolve the matter.
You will ensure that for each Card Member transaction, that Card Member’s shopping cart within your site(s) has all items selected by the Card Member prior to the clicking on the AEC Button.
Once accepted, these T&Cs will remain in effect until terminated by you or Amex. You may terminate these T&Cs at any time by removing the application that is using the Amex Service. Amex may suspend or terminate your ability to use the Amex Service at any time, including as set forth in Section 1 of these T&Cs. These T&Cs will terminate immediately upon the termination or expiration of the CAA. Upon termination of these T&Cs, you will immediately remove the AEC Button from your application. Your continued use of the Amex Service will constitute your continued acceptance of these T&Cs.
In addition to any rights it may have at law, Amex shall be entitled to equitable relief, without posting any bond.
Neither party will issue any press release or public announcement concerning these T&Cs without obtaining the prior written approval of the other party. Notwithstanding the foregoing, from time to time Amex may use your name and logo in connection with sales and marketing activities.
1.1 Data Security Program. Merchant will comply, with respect to AXP Data (“Covered Data”), with the data security requirements and Amex‘s rights as provided in the American Express Data Security Operating Policy—U.S. (“DSOP”). The DSOP requires Merchant to certify compliance with the then-current version of the Payment Card Industry Data Security Standard (“PCI DSS”). Merchant will Process Covered Data per Amex instructions. Merchant Permitted Parties that receive or are granted to Covered Data in accordance with the Agreement, if any, are Merchant’s “covered parties” under the DSOP.
1.2 PCI DSS. Merchant represents and warrants that it will only store Covered Data: (a) in Merchant’s PCI DSS CDE (cardholder data environment); or (b) in an alternative Merchant environment certified as PCI DSS compliant.
1.3 Validation: Policies and Procedures, Third Party Assessments. Merchant will document and promptly provide to Amex: (a) copies of any privacy, data Processing, data protection, data security, encryption and confidentiality-related (i) Merchant policies, procedures, and standards (including escalation procedures for non-compliance) and (ii) third party assessments, test results, audits or reviews (e.g., SSAE 16, SOC I, II and III, SysTrust, WebTrust, or perimeter certifications), or other equivalent evaluations in its possession or control; and (b) any other information requested by Amex to comply with Applicable Law or Amex auditing requirements. Merchant’s perimeter test results may be limited to a summary of findings’ testing scope, number and severity and remediation estimated dates. For the purposes of this Schedule 1, “Applicable Law” means all applicable laws, regulations, rules and guidance pertaining to privacy, data processing, data protection, data security, encryption, and confidentiality.
1.4 Amex Inspections. In order to facilitate Amex’s compliance with its internal policies, procedures and practices, as well as Applicable Law, Merchant will reasonably cooperate with Amex, its designees and government authorities, in connection with inspections of Merchant and Merchant Permitted Parties storing Covered Data, on-site or by phone, and with self-assessment security compliance reviews (including inspections and reviews for privacy, data Processing, data protection, data security, encryption or confidentiality-related compliance). On-site inspections will be performed upon reasonable advance notice during Merchant’s and Merchant Permitted Parties’ regular business hours. In addition, upon Merchant's written notice, Amex will provide its summary findings to Merchant of any material vulnerabilities uncovered in the scans that Amex may perform from time-to-time of Merchant's Internet-facing applications.
1.5 Processing and Material Modifications. Merchant will provide Amex with 90 days’ prior notice of a material modification to the process, method or means by which Covered Data is Processed (including any geographic change). If Amex reasonably determines and notifies Merchant that such modification could materially degrade Covered Data security, then Merchant will not make such modification.
1.6 Vulnerability Scans and Training. Merchant will provide to Amex reasonable documentation of compliance with PCI DSS v. 3.1 requirements 11.2 and 12.6 (or superseding PCI DSS equivalent), and will comply with the foregoing regardless of the volume of card transactions Merchant Processes.
1.7 Corrective Action. Merchant will promptly: (a) take all necessary and appropriate corrective action to cure any deficiencies in compliance with this Schedule 1; and (b) take any action pertaining to unauthorized access, use or disclosure of Covered Data otherwise required by this Agreement or Applicable Law.
1.8 Merchant Permitted Parties. In addition to the obligations set forth in this Agreement, if Merchant Permitted Parties Process Covered Data on behalf of Merchant per Amex’s express approval elsewhere in the Agreement, Merchant will: (a) either (i) ensure that each Merchant Permitted Party acts as a user under Merchant’s written data security program in compliance with this Schedule 1 as if they were a party hereto, or (ii) ensure that each of Merchant Permitted Parties’ written data security program complies with this Schedule 1 via sufficient diligence and oversight; and (b) be responsible for the acts and omissions of Merchant Permitted Parties as if their acts and omissions were made by Merchant.